[email protected] wrote:
> Full_Name: Yann Verry
> Version: 2.4.39
> OS: debian/sid
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2a01:e35:2e6d:c800:d572:aec:1b42:380c)

This is purely a TLS issue, OpenLDAP has nothing to do with it. Ask for help on a gnutls support forum. Closing this ITS.

> Hi,
>
> I would like to switch my X509 certificate to a SHA512 signature algorithm (CAcert now signs class 3 with SHA512).
> When I do this, openldap binds on the SSL port but is unable to provide an SSL connection, as you can see in the error:
>
> 2014-05-31T00:20:46.852821+02:00 peach slapd[23997]: >>> slap_listener(ldaps:///)
> 2014-05-31T00:20:46.853369+02:00 peach slapd[23997]: connection_get(35): got connid=1068
> 2014-05-31T00:20:46.853891+02:00 peach slapd[23997]: connection_read(35): checking for input on id=1068
> 2014-05-31T00:20:46.854526+02:00 peach slapd[23997]: connection_read(35): TLS accept failure error=-1 id=1068, closing
> 2014-05-31T00:20:46.855071+02:00 peach slapd[23997]: connection_close: conn=1068 sd=35
>
> If I fall back to sha256 it works fine.
>
> How to reproduce
> ================
>
> - generate self signed with sha256 and sha512:
>
> mkdir -p /etc/ldap/ssl
> cd !$
>
> # priv
> certtool --generate-privkey --sec-param normal --outfile mypriv_normal.key
>
> # self
> certtool -s --load-privkey mypriv_normal.key --outfile gnutls512_normal.crt --hash SHA512
> certtool -s --load-privkey mypriv_normal.key --outfile gnutls256_normal.crt --hash SHA256
>
> # build PEM
> cat mypriv_normal.key gnutls512_normal.crt > gnutls512_normal.pem
> cat mypriv_normal.key gnutls256_normal.crt > gnutls256_normal.pem
>
> my cn=config:
>
> olcTLSCACertificateFile: /etc/ldap/ssl/sslcertificate.pem
> olcTLSCertificateFile: /etc/ldap/ssl/sslcertificate.pem
> olcTLSCertificateKeyFile: /etc/ldap/ssl/sslcertificate.pem
>
> now just play with the symlink.
>
> sha256
> ------
>
> ln -s gnutls256_normal.pem sslcertificate.pem ; then restart openldap
>
> make a client connection:
>
> gnutls-cli ldap.verry.org -p 636
> Resolving 'ldap.verry.org'...
> Connecting to '2a01:e35:2e6d:c800:cafe:deca:0:42:636'...
> - Certificate type: X.509
> - Got a certificate list of 1 certificates.
> - Certificate[0] info:
>  - subject `CN=ldap.verry.org', issuer `CN=ldap.verry.org', RSA key 2432 bits, signed using RSA-SHA256, activated `2014-05-31 08:26:59 UTC', expires `2024-05-28 08:27:03 UTC', SHA-1 fingerprint `600b2a502289644c075d4b3eaf7b1efd38685687'
> - The hostname in the certificate matches 'ldap.verry.org'.
> - Peer's certificate issuer is unknown
> - Peer's certificate is NOT trusted
> - Version: TLS1.2
> - Key Exchange: RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> - Handshake was completed
>
> - Simple Client Mode:
>
> server view, it's OK:
>
> 538909bf conn=1007 fd=32 TLS established tls_ssf=256 ssf=256
>
> sha512
> ------
>
> rm previous symlink and ln -s gnutls512_normal.pem sslcertificate.pem ; then restart openldap
>
> make a connection:
>
> gnutls-cli ldap.verry.org -p 636
> Resolving 'ldap.verry.org'...
> Connecting to '2a01:e35:2e6d:c800:cafe:deca:0:42:636'...
> *** Fatal error: A TLS packet with unexpected length was received.
> *** Handshake has failed
> GnuTLS error: A TLS packet with unexpected length was received.
>
> server view:
>
> TLS: can't accept: Could not negotiate a supported cipher suite..
> 538909f9 connection_read(28): TLS accept failure error=-1 id=1000, closing
> 538909f9 connection_closing: readying conn=1000 sd=28 for close
> 538909f9 connection_close: conn=1000 sd=28
> 538909f9 daemon: removing 28
> 538909f9 conn=1000 fd=28 closed (TLS negotiation failure)
>
> gnutls
> ======
>
> gnutls-cli -l|grep SHA512
> MACs: SHA1, MD5, SHA256, SHA384, SHA512, SHA224, UMAC-96, UMAC-128, AEAD
> Digests: SHA1, MD5, SHA256, SHA384, SHA512, SHA224
> PK-signatures: SIGN-RSA-SHA1, SIGN-RSA-SHA1, SIGN-RSA-SHA224, SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-RSA-RMD160, SIGN-DSA-SHA1, SIGN-DSA-SHA1, SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5, SIGN-RSA-MD5, SIGN-RSA-MD2, SIGN-ECDSA-SHA1, SIGN-ECDSA-SHA224, SIGN-ECDSA-SHA256, SIGN-ECDSA-SHA384, SIGN-ECDSA-SHA512
>
> I can provide more information as needed to solve this issue.
>
> Regards,
> Yann

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
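An added diagnostic for the reproduction above, not part of the report or of OpenLDAP: a stdlib-only Python check that reports the signature algorithm of the certificate slapd is configured to serve, read either from the PEM file behind olcTLSCertificateFile (the combined key+cert file built with cat) or from a live ldaps port the way gnutls-cli fetches it, so a SHA512-signed certificate is identified before the symlink is switched rather than from a failed handshake. The DER sample at the end is constructed for testing and is not a real certificate; the host, port and file path arguments are assumptions.

```python
import base64
import re
import ssl

# signatureAlgorithm OIDs (RFC 8017) for the hashes certtool --hash can pick for an RSA key
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
            "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}

def _tlv(buf, pos):                        # one DER tag-length-value at pos -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """DER OID content bytes to dotted form, e.g. 2a864886f70d01010d -> 1.2.840.113549.1.1.13."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear: this byte ends the arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):              # -> (oid, name) of the outer signatureAlgorithm
    tag, cert, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    _, _, pos = _tlv(cert, 0)              # tbsCertificate, skipped
    _, algid, _ = _tlv(cert, pos)          # signatureAlgorithm AlgorithmIdentifier
    oid_tag, oid_raw, _ = _tlv(algid, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER X.509 certificate")
    oid = decode_oid(oid_raw)
    return oid, SIG_OIDS.get(oid, "unknown")

def pem_signature_algorithm(pem_text):     # combined key+cert PEM is fine: only the CERTIFICATE block is read
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return signature_algorithm(base64.b64decode("".join(m.group(1).split())))

def ldaps_signature_algorithm(host, port=636):
    """Leaf cert from a live ldaps port, fetched without verification (diagnostic only, as gnutls-cli above)."""
    return pem_signature_algorithm(ssl.get_server_certificate((host, port)))

def _der(tag, value):                      # short-form DER helper for the constructed sample below
    return bytes([tag, len(value)]) + value
# Constructed, certificate-shaped DER (not a real cert): empty tbsCertificate, sha512WithRSA AlgorithmIdentifier, empty BIT STRING
SAMPLE_SHA512_ALGID = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010d")) + _der(0x05, b""))
SAMPLE_SHA512_DER = _der(0x30, _der(0x30, b"") + SAMPLE_SHA512_ALGID + _der(0x03, b"\x00"))
```

Run it against /etc/ldap/ssl/sslcertificate.pem (or the two gnutls*_normal.pem files) before restarting slapd; a result of "unknown" means an OID outside the small RSA table above, not necessarily a broken certificate.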
